W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: What will incentivize deployment of explicit proxies?

From: Peter Lepeska <bizzbyster@gmail.com>
Date: Tue, 10 Dec 2013 11:25:06 -0500
Message-ID: <CANmPAYHDZ0=NiOD4qc8rbTo7_NXVzZQFfOLZUQqkF4-SkDhS1Q@mail.gmail.com>
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: Albert Lunde <atlunde@panix.com>, HTTP Working Group <ietf-http-wg@w3.org>
"Since we cannot break in these situations, user installed root
CAs are given the authority to override pins."

Wouldn't browser manufacturers prefer to come up with a way to allow
proxies to operate that does not defeat the purpose of deploying pinned
certs? Wouldn't proxy vendors (often security companies) prefer not to slow
the pace of security improvements in web browsers? Accepting MITMs, and
taking the teeth out of security functionality in order to allow them to
continue to work, creates a stalemate situation where security
and usability cannot advance.

Isn't it the purpose of protocol designers to break this type of stalemate?

Peter


On Tue, Dec 10, 2013 at 2:52 AM, William Chan (陈智昌)
<willchan@chromium.org>wrote:

> I don't fully understand your email. From what I can tell, the main point
> is that there are some subtle differences amongst trusted CAs for proxies
> vs origin servers, and software should distinguish these. It may be true
> that software can distinguish the differences here, but it may be very
> difficult for end users to grok the differences.
>
>
> On Mon, Dec 9, 2013 at 10:14 PM, Albert Lunde <atlunde@panix.com> wrote:
>
>>  I would tend to argue that, in the web browser case, the list of
>> configured trusted proxies and/or configured trusted CAs for proxies should
>> go in a separate "bucket" from trusts for CAs used web servers, and should
>> distinguish GET vs CONNECT tunnels.
>>
>> It's not so much that typical end users care about trusting a FOO-server
>> vs a BAR-server (though maybe they should), but it should be possible to
>> manage the proxies in use by some means, and that software  may care about
>> these distinctions.
>>
>>
>>
>>
>
Received on Tuesday, 10 December 2013 16:25:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC